DISA STIG: Update RHEL8 V2R6 → V2R7 #14637

Draft
macko1 wants to merge 1 commit into ComplianceAsCode:master from macko1:update_rhel8_disa_stig_to_v2r7

Conversation

@macko1 macko1 (Collaborator) commented Apr 10, 2026

Description:

  • Bump control file, stig, and stig_gui profiles to V2R7
  • RHEL-08-010010: update policy with "not connected to
    internet" note
  • RHEL-08-010572: vfat is required for EFI partitions - vfat cannot be excluded from this rule
  • RHEL-08-040020: update rule and policy to use blacklist
    and /bin/false instead of /bin/true
  • RHEL-08-040060: update rule and policy, fix grammar
  • RHEL-08-040283: enforce kernel.kptr_restrict=1 instead of
    1 or 2; add tests

Rationale:

  • DISA released RHEL 8 STIG V2R7; this PR aligns our content
    with the updated benchmark text and check logic.

Review Hints:

  • Build and verify the data stream:
    $ ./build_product rhel8 --datastream-only

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress (Used by openshift-ci bot) label Apr 10, 2026
@openshift-ci openshift-ci bot commented Apr 10, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@github-actions github-actions bot commented Apr 10, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff

OCIL for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1
+++ ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1
@@ -1,6 +1,6 @@
-Verify that the IPSec service uses the system crypto policy.
+Verify that the IPsec service uses the system crypto policy.
 
-If the ipsec service is not installed is not applicable.
+If the IPsec service is not installed, this requirement is not applicable.
 
 Check to see if the "IPsec" service is active with the following command:
 

bash remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -2,13 +2,6 @@
 if ( ! ( { rpm --quiet -q kernel-core ;} && { rpm --quiet -q rpm-ostree ;} && { rpm --quiet -q bootc ;} && { ! rpm --quiet -q openshift-kubelet ;} && ([ -f /run/ostree-booted ] || [ -L /ostree ]) ) && ! ( [ -f /.dockerenv ] || [ -f /run/.containerenv ] ) ) && { ( findmnt --kernel "/boot/efi" > /dev/null || findmnt --fstab "/boot/efi" > /dev/null ); }; then
 
 function perform_remediation {
-
-    # Check if the partition is mounted with an excluded filesystem type
-    if findmnt --kernel --raw --evaluate --output=FSTYPE "/boot/efi" | grep -q "^vfat$"; then
-        # The mount point /boot/efi is using vfat filesystem
-        # which is excluded from this requirement. No remediation needed.
-        return 0
-    fi
 
     
         # the mount point /boot/efi has to be defined in /etc/fstab
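Review bot: dropping the vfat early-return leaves `perform_remediation` opening with an empty line followed by a whitespace-only line before `# the mount point /boot/efi has to be defined in /etc/fstab`; trim that in the template so the generated script does not carry the leftover indentation. Functionally the hunk matches the PR description: nosuid is now applied to /boot/efi whatever its filesystem type, and the outer `findmnt` guard still skips hosts where /boot/efi is not a mount point. Only the bash and Ansible remediations for this rule appear in the diff, so if the rule's OVAL check carried the same vfat exemption it needs the matching change, otherwise the check would keep passing a vfat /boot/efi without nosuid while the remediation enforces it.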

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid' differs.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
@@ -1,52 +1,6 @@
 - name: Gather the package facts
   package_facts:
     manager: auto
-  tags:
-  - CCE-86038-7
-  - DISA-STIG-RHEL-08-010572
-  - NIST-800-53-CM-6(b)
-  - NIST-800-53-CM-6.1(iv)
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_boot_efi_nosuid
-  - no_reboot_needed
-
-- name: 'Add nosuid Option to /boot/efi: Check filesystem type of /boot/efi'
-  ansible.builtin.command: findmnt --kernel --raw --evaluate --output=FSTYPE '/boot/efi'
-  register: fs_type_check
-  failed_when: fs_type_check.rc > 1
-  changed_when: false
-  check_mode: false
-  when:
-  - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
-    and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
-    and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
-    ["docker", "lxc", "openvz", "podman", "container"] ) )
-  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
-  tags:
-  - CCE-86038-7
-  - DISA-STIG-RHEL-08-010572
-  - NIST-800-53-CM-6(b)
-  - NIST-800-53-CM-6.1(iv)
-  - configure_strategy
-  - high_disruption
-  - low_complexity
-  - medium_severity
-  - mount_option_boot_efi_nosuid
-  - no_reboot_needed
-
-- name: 'Add nosuid Option to /boot/efi: Set fact for excluded filesystem'
-  set_fact:
-    is_excluded_fstype: '{{ fs_type_check.rc == 0 and ''vfat'' in fs_type_check.stdout_lines
-      }}'
-  when:
-  - ( not ( "kernel-core" in ansible_facts.packages and "rpm-ostree" in ansible_facts.packages
-    and "bootc" in ansible_facts.packages and not "openshift-kubelet" in ansible_facts.packages
-    and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
-    ["docker", "lxc", "openvz", "podman", "container"] ) )
-  - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
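Review bot: the `Gather the package facts` task keeps its `tags:` block (the context lines still show `CCE-86038-7` and `DISA-STIG-RHEL-08-010572` attached to it), so tag-based runs still collect `ansible_facts.packages` for the remaining `when` conditions; good. Please grep the template for any remaining `is_excluded_fstype` reference: the hunks below remove five `- not is_excluded_fstype | default(false)` conditions, and a leftover would not error once the `set_fact` is gone (it evaluates to true through `default(false)`), so it would survive testing as dead code.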
@@ -71,7 +25,6 @@
     and "ostree" in ansible_proc_cmdline ) and not ( ansible_virtualization_type in
     ["docker", "lxc", "openvz", "podman", "container"] ) )
   - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
@@ -98,7 +51,6 @@
   - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length > 0)
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
@@ -133,7 +85,6 @@
   - ("--fstab" | length == 0)
   - device_name.stdout is defined and device_name.stdout_lines is defined
   - (device_name.stdout | length == 0)
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
@@ -159,7 +110,6 @@
     ["docker", "lxc", "openvz", "podman", "container"] ) )
   - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
   - mount_info is defined and "nosuid" not in (mount_info.options | default(''))
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572
@@ -193,7 +143,6 @@
   - mount_info is defined
   - (device_name.stdout is defined and (device_name.stdout | length > 0)) or ("--fstab"
     | length == 0)
-  - not is_excluded_fstype | default(false)
   tags:
   - CCE-86038-7
   - DISA-STIG-RHEL-08-010572

OCIL for rule 'xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled' differs.
--- ocil:ssg-kernel_module_uvcvideo_disabled_ocil:questionnaire:1
+++ ocil:ssg-kernel_module_uvcvideo_disabled_ocil:questionnaire:1
@@ -1,6 +1,6 @@
-If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this requirement is not applicable.
+If the device or Red Hat Enterprise Linux 8 does not have a camera installed, this is not applicable.
 
-This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
+This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local Authorizing Official (AO) decision.
 
 This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.
 
@@ -8,12 +8,13 @@
 
 For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.
 
-If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:
+If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software.
 
-Verify the operating system disables the ability to load the uvcvideo kernel module.
+Verify the operating system disables the ability to load the uvcvideo kernel module and ensure that the uvcvideo protocol module is disabled with the following command:
 
-$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true"
+$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"
 
-install uvcvideo /bin/true
+/etc/modprobe.d/blacklist.conf:install uvcvideo /bin/false
+/etc/modprobe.d/blacklist.conf:blacklist uvcvideo
       Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use?
       
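Review bot: in the new check `grep -r uvcvideo /etc/modprobe.d/* | grep "blacklist"`, the `install uvcvideo /bin/false` line in the expected output survives the second grep only because its file is named `blacklist.conf` and `grep -r` prefixes each match with the path; the same line in a file with another name would be filtered out, and a reviewer working from the question could record a finding on a system where the module is in fact disabled. The wording follows the STIG check, so keep the command, but the expected output should make clear that both the `install uvcvideo /bin/false` line and the `blacklist uvcvideo` line are what is looked for, wherever they live under /etc/modprobe.d. A nit on the preceding line: `ensure that the uvcvideo protocol module is disabled` reads oddly for a camera driver; `kernel module` would be accurate.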
OCIL for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' differs.
--- ocil:ssg-sysctl_kernel_kptr_restrict_ocil:questionnaire:1
+++ ocil:ssg-sysctl_kernel_kptr_restrict_ocil:questionnaire:1
@@ -1,10 +1,9 @@
 The runtime status of the kernel.kptr_restrict kernel parameter can be queried
 by running the following command:
 $ sysctl kernel.kptr_restrict
-The output of the command should indicate either:
+The output of the command should indicate:
 kernel.kptr_restrict = 1
-or:
-kernel.kptr_restrict = 2
+
 The output of the command should not indicate:
 kernel.kptr_restrict = 0
 
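Review bot: replacing `or:` and `kernel.kptr_restrict = 2` with a single `+` empty line leaves a stray blank line between `kernel.kptr_restrict = 1` and `The output of the command should not indicate:`; remove that empty line from the template along with the two lines already dropped. The second hunk of this questionnaire has the same leftover, where it produces two consecutive blank lines before `Conflicting assignments are not allowed.`.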
@@ -17,9 +16,8 @@
 $ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
 The command should not find any assignments other than:
 kernel.kptr_restrict = 1
-or:
-kernel.kptr_restrict = 2
+
 
 Conflicting assignments are not allowed.
-      Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?
+      Is it the case that the kernel.kptr_restrict is not set to 1 or is configured to be 0?
       
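Review bot: the new question `Is it the case that the kernel.kptr_restrict is not set to 1 or is configured to be 0?` is redundant now that a single value is accepted, since 0 is already covered by `not set to 1`; `Is it the case that kernel.kptr_restrict is not set to 1?` states the same condition and drops the stray article before the parameter name.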
bash remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
@@ -25,19 +25,17 @@
 
 SYSCONFIG_FILE='/etc/sysctl.d/kernel_kptr_restrict.conf'
 
-sysctl_kernel_kptr_restrict_value=''
-
 
 #
 # Set runtime for kernel.kptr_restrict
 #
 if ! { rpm --quiet -q kernel rpm-ostree bootc && ! rpm --quiet -q openshift-kubelet && { [ -f "/run/.containerenv" ] || [ -f "/.containerenv" ]; }; } ; then
-    /sbin/sysctl -q -n -w kernel.kptr_restrict="$sysctl_kernel_kptr_restrict_value"
+    /sbin/sysctl -q -n -w kernel.kptr_restrict="1"
 fi
 
 #
-# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to appropriate value
-#	else, add "kernel.kptr_restrict = value" to /etc/sysctl.conf
+# If kernel.kptr_restrict present in /etc/sysctl.conf, change value to "1"
+#	else, add "kernel.kptr_restrict = 1" to /etc/sysctl.conf
 #
 
 sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf
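Review bot: hard-coding `"1"` where `$sysctl_kernel_kptr_restrict_value` was substituted means this remediation no longer follows the rule's XCCDF value; if any other profile in the rhel8 datastream selects this rule with value 2 through that variable, it will also be remediated to 1 after this change, because the generated script is shared across profiles. If that is the intent (the STIG now allows only 1), state it in the PR description; otherwise keep the variable in the template and select 1 in the STIG profile. Minor: deleting `sysctl_kernel_kptr_restrict_value=''` leaves two consecutive blank lines after the `SYSCONFIG_FILE=` assignment.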
@@ -47,7 +45,7 @@
 stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.kptr_restrict")
 
 # shellcheck disable=SC2059
-printf -v formatted_output "%s = %s" "$stripped_key" "$sysctl_kernel_kptr_restrict_value"
+printf -v formatted_output "%s = %s" "$stripped_key" "1"
 
 # If the key exists, change it. Otherwise, add it to the config_file.
 # We search for the key string followed by a word boundary (matched by \>),

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict' differs.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
@@ -14,11 +14,6 @@
   - medium_severity
   - reboot_required
   - sysctl_kernel_kptr_restrict
-- name: XCCDF Value sysctl_kernel_kptr_restrict_value # promote to variable
-  set_fact:
-    sysctl_kernel_kptr_restrict_value: !!str 
-  tags:
-    - always
 
 - name: Restrict Exposed Kernel Pointer Addresses Access - Set fact for sysctl paths
   ansible.builtin.set_fact:
@@ -69,7 +64,7 @@
     kernel.kptr_restrict to correct value
   ansible.builtin.shell:
     cmd: find -L {{ sysctl_paths | join(" ") }} -type f -name '*.conf' | xargs grep
-      -HP '^\s*kernel.kptr_restrict\s*=\s*{{ sysctl_kernel_kptr_restrict_value }}$'
+      -HP '^\s*kernel.kptr_restrict\s*=\s*1$'
   register: find_correct_value
   check_mode: false
   changed_when: false
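Review bot: the pattern `'^\s*kernel.kptr_restrict\s*=\s*1$'` anchors `$` directly after the digit, so a compliant line with trailing whitespace (`kernel.kptr_restrict = 1 `) is reported as incorrect and the later tasks rewrite a file that already held the right value; `1\s*$` keeps the rejection of values such as `10` while tolerating the whitespace. The unescaped `.` in `kernel.kptr_restrict` is harmless but `kernel\.kptr_restrict` is the exact form. The bot's note about the shell module applies to this task: the `find | xargs grep` pipeline predates the change, but since the line is being touched, `ansible.builtin.find` with `ansible.builtin.lineinfile` in check mode would remove the shell call.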
@@ -138,10 +133,10 @@
   - sysctl_kernel_kptr_restrict
 
 - name: Restrict Exposed Kernel Pointer Addresses Access - Ensure sysctl kernel.kptr_restrict
-    is set
+    is set to 1
   ansible.posix.sysctl:
     name: kernel.kptr_restrict
-    value: '{{ sysctl_kernel_kptr_restrict_value }}'
+    value: '1'
     sysctl_file: /etc/sysctl.d/kernel_kptr_restrict.conf
     state: present
     reload: true

@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@jan-cerny jan-cerny added the RHEL8 (Red Hat Enterprise Linux 8 product related), STIG (STIG Benchmark related), Highlight (This PR/Issue should make it to the featured changelog) and Update Profile (Issues or pull requests related to Profiles updates) labels Apr 13, 2026
@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@macko1 macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from 456e736 to f3da82f on April 13, 2026 12:50
@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@macko1 macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch 2 times, most recently from adc04db to 93ddf78 on April 13, 2026 13:14
@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@macko1 macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from 93ddf78 to 092eb77 on April 13, 2026 13:26
@macko1 macko1 changed the title from "Draft: DISA STIG: Update RHEL8 V2R6 → V2R7" to "DISA STIG: Update RHEL8 V2R6 → V2R7" Apr 13, 2026
@macko1 macko1 removed the do-not-merge/work-in-progress (Used by openshift-ci bot) label Apr 13, 2026
@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress (Used by openshift-ci bot) label Apr 13, 2026
@macko1 macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from 72f1a8f to 23f9277 on April 13, 2026 17:46
@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.

- Bump control file, stig, and stig_gui profiles to V2R7
- RHEL-08-010010: update policy with "not connected to
  internet" applicability note
- RHEL-08-010572: update rule, drop vfat exclusion from
  template and simplify policy checktext
- RHEL-08-040020: update rule and policy to use blacklist
  and /bin/false instead of /bin/true
- RHEL-08-040060: update rule and policy, fix grammar
- RHEL-08-040283: enforce kernel.kptr_restrict=1 instead of
  1 or 2; add tests
@macko1 macko1 force-pushed the update_rhel8_disa_stig_to_v2r7 branch from 23f9277 to f003cab on April 14, 2026 08:37
@github-actions

Change in Ansible shell module found.

Please consider using more suitable Ansible module than shell if possible.
